Note

This manual is written for CentOS 7.  Adjust accordingly for other OS distributions.


SimpleSAMLphp is an alternative SP implementation that can be used in place of Shibboleth SP - and can be particularly suitable on hosted servers without root access or the ability to install full software packages. This page documents the basic install of SimpleSAMLphp Service Provider and the configuration steps necessary to integrate the SP into Tuakiri.

...

  • A web server (Apache installed) with PHP (5.2.0+)
    • To meet the PHP version requirement, the OS has to be CentOS/RHEL 6 (CentOS 5 has only PHP 5.1.x)
  • The following PHP modules:
    • XML DOM (php-xml)
    • MCrypt (php-mcrypt)
    • Multi-byte string support (php-mbstring)
    • Basic PDO database support (php-pdo) for storing sessions (at least SQLite3).
    • Optionally, also MySQL support (php-mysql)

      No Format
      yum install httpd mod_ssl php php-mcrypt php-xml php-pdo php-mbstring
      


  • Configure SELinux: if your system has SELinux enabled, allow Apache to send email (otherwise, invocation of sendmail(postfix) from PHP breaks):

    No Format
    setsebool -P httpd_can_sendmail on
    
    • If SELinux is enabled, also install the policycoreutils-python package to get the semanage command, which is needed later:

      No Format
      yum install policycoreutils-python
      


Basic steps

  • Download simpleSAMLphp from https://simplesamlphp.org/download (1.14.4 as of August 2016; 1.16.3 as of August 2020)

    Note

    As SimpleSAMLphp 1.17.0 and above requires PHP 5.5+, but CentOS 7 only comes with PHP 5.4, the latest version that can be used on CentOS 7 is 1.16.3.

    For other OS distributions, check PHP version available and the requirements of the target SimpleSAMLphp version.


    • Install into /opt, not into /var as the SimpleSAMLphp manual instructs. Adjust the version number in the commands below to match the release you downloaded.
    • In the web server space, SimpleSAMLphp will be accessible as /simplesaml

      No Format
      cd /opt
      tar xzf ~/inst/simplesamlphp-1.14.4.tar.gz
      mv simplesamlphp-1.14.4 simplesamlphp
      


  • Alias this directory as /simplesaml - create /etc/httpd/conf.d/simplesaml.conf with:

    No Format
    Alias /simplesaml /opt/simplesamlphp/www



    • On systems with Apache 2.4 (such as CentOS or RHEL 7), explicitly grant access to the directory - the Apache 2.4 default is Require all denied, so without this Apache would refuse to serve the SimpleSAMLphp code. Add this to the /etc/httpd/conf.d/simplesaml.conf file created above:

      Code Block
      <Directory /opt/simplesamlphp/www>
        AllowOverride none
        Require all granted
      </Directory>


  • Do some basic changes to /opt/simplesamlphp/config/config.php:
    • Set auth.adminpassword to a new password.
    • Set secretsalt to a new random string - a suitable value can be generated with:

      No Format
      openssl rand -base64 24



    • Set technical contact name and email address.
    • Optionally, set timezone to 'Pacific/Auckland' - or leave it as NULL to use the OS timezone

...

  • Edit /opt/simplesamlphp/config/authsources.php and add references to the certificate to the default-sp definition:

    No Format
            'default-sp' => array(
                    'saml:SP',
                    // key and certificate file names are resolved relative to the configured cert directory
                    'privatekey' => 'saml.pem',
                    'certificate' => 'saml.crt',
                    // ... leave the remaining default-sp settings as they are
            ),



...

  • Create a directory to cache the downloaded federation metadata (writable by Apache - this also means setting the SELinux context if SELinux is enabled on your system):

    No Format
    mkdir /opt/simplesamlphp/metadata/metarefresh-tuakiri
    chown apache.apache /opt/simplesamlphp/metadata/metarefresh-tuakiri
    # Set SELinux context to give Apache RW access - if SELinux is enabled on your system
    chcon -t httpd_sys_rw_content_t /opt/simplesamlphp/metadata/metarefresh-tuakiri/
    # And record the context setting in the SELinux policy database so that it does not get lost in an SELinux relabel
    semanage fcontext -a -t httpd_sys_rw_content_t '/opt/simplesamlphp/metadata/metarefresh-tuakiri(/.*)?'
    


  • Download the metadata signing certificate for the federation metadata into /opt/simplesamlphp/cert:
    • For Tuakiri, run:

      No Format
      wget https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-cert.pem -O /opt/simplesamlphp/cert/tuakiri-metadata-cert.pem


    • or for Tuakiri-TEST, run:

      No Format
      wget https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-cert.pem -O /opt/simplesamlphp/cert/tuakiri-test-metadata-cert.pem


  • Edit config/config-metarefresh.php:
    • Replace 'kalmar' with the federation name ('tuakiri')
    • Set the download URL - either for Tuakiri Production:

      No Format
         'src' => 'https://directory.tuakiri.ac.nz/metadata/tuakiri-metadata-signed.xml',
      


    • Or Tuakiri-TEST:

      No Format
         'src' => 'https://directory.test.tuakiri.ac.nz/metadata/tuakiri-test-metadata-signed.xml',
      


    • Set output directory and format (use the 'serialize' format):

      No Format
                              'outputDir'     => 'metadata/metarefresh-tuakiri/',
                              'outputFormat' => 'serialize',
      


    • Set expiry date to 7 days to match Tuakiri

      No Format
                              'expireAfter'           => 60*60*24*7, // Maximum 7 days cache time.
      


    • Change the list of accepted certificates to the metadata signing certificate downloaded above (use tuakiri-test-metadata-cert.pem for Tuakiri-TEST):

      Code Block
                                              'certificates' => array(
                                                      'tuakiri-metadata-cert.pem',
                                              ),


    • Remove/comment-out the validateFingerprint entry (see note below for explanation)

      Note

      Older versions of SimpleSAMLphp did not support directly referring to a certificate and instead required embedding the certificate fingerprint in the configuration.

      For historical and archival purposes, the instructions are included here - but they can be ignored in favour of the certificates setting above.

      • Set the 'validateFingerprint' to the fingerprint value of the metadata issuing certificate
        • Tuakiri-PROD: 06:85:C5:89:2F:38:83:98:77:1B:A4:5D:58:A4:06:3A:A4:C1:CE:45
        • Tuakiri-TEST: 5E:90:2D:F9:D9:5A:5A:95:BF:58:4D:02:AD:29:35:64:CC:BF:76:45
      • To calculate the fingerprint yourself:
        • Download the metadata signing certificate (for Tuakiri-PROD and Tuakiri-TEST, they are linked from the instructions on registering an SP into Tuakiri)
        • and get the fingerprint value with:

          No Format
                openssl x509 -fingerprint -noout -in metadata-cert.pem 
          



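Whichever way the metadata signing certificate is trusted (the certificates setting or the older validateFingerprint), it is worth confirming out of band that the file you downloaded has the SHA-1 fingerprint the federation publishes before it is used to validate metadata. The POSIX shell script below is an added example, not part of the original page or of SimpleSAMLphp; it assumes the openssl command-line tool is installed and takes the certificate path and the published fingerprint as its two arguments.

```shell
#!/bin/sh
# Added example: check a downloaded federation metadata signing certificate
# against a published SHA-1 fingerprint before trusting it in config-metarefresh.php.
# Assumes the openssl CLI is installed; certificate path and fingerprint are arguments.

# Keep hex digits only and upper-case them, so "06:85:c5" and "0685C5" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n\r' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-1 fingerprint of a PEM certificate as openssl formats it
# (e.g. "06:85:C5:...:45"); fails if the file is not a parseable certificate.
cert_sha1_fp() {
    raw=$(openssl x509 -sha1 -fingerprint -noout -in "$1" 2>/dev/null) || return 1
    printf '%s\n' "${raw#*=}"
}

# Return 0 when the certificate's SHA-1 fingerprint equals the expected value.
# Rejects an empty or malformed expected value so a blank variable can never "match".
fingerprint_matches() {
    cert_file=$1
    expected=$(normalize_fp "$2")
    case "$expected" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 1      # SHA-1 is 20 bytes = 40 hex digits
    actual=$(cert_sha1_fp "$cert_file") || return 1
    [ "$(normalize_fp "$actual")" = "$expected" ]
}

# Usage: sh check-metadata-cert.sh /opt/simplesamlphp/cert/tuakiri-metadata-cert.pem <published fingerprint>
if [ "$#" -eq 2 ]; then
    if fingerprint_matches "$1" "$2"; then
        echo "OK: $1 matches the published fingerprint"
    else
        echo "MISMATCH: do not list $1 in 'certificates' until this is resolved" >&2
        exit 1
    fi
fi
```

The comparison ignores case and colons, so the fingerprint can be pasted as printed on the federation's registration page or as openssl prints it.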

  • Edit config/config.php and add an extra entry into 'metadata.sources'

    No Format
       array('type' => 'serialize', 'directory' => 'metadata/metarefresh-tuakiri'),
    


...

  • Create attributemap/tuakiri-attrs.php with the following contents (adding to what already exists in attributemap/oid2name.php):

    No Format
    <?php
    $attributemap = array(
            'urn:oid:1.3.6.1.4.1.25178.1.2.10' => 'schacHomeOrganizationType',
            'urn:oid:1.3.6.1.4.1.5923.1.1.1.11' => 'eduPersonAssurance',
            'urn:oid:1.3.6.1.4.1.27856.1.2.5' => 'auEduPersonSharedToken',
    );
    ?>



  • Edit config/config-metarefresh.php and add a reference to this file in the template for IdPs downloaded via metarefresh:

    No Format
                                            'template' => array(
                                                    'tags'  => array('tuakiri'),
                                                    'authproc' => array(
                                                            51 => array('class' => 'core:AttributeMap', 'oid2name', 'tuakiri-attrs'),
                                                    ),
                                            ),
    


  • To also configure friendly attribute names, add the following after the first line of dictionaries/attributes.definition.json (eduPersonAssurance already has an entry there and does not need to be duplicated):

    No Format
        "attribute_schachomeorganizationtype": {
                "en": "Home organization type"
        },
        "attribute_auedupersonsharedtoken": {
                "en": "Shared token"
        },

...